Web Enumeration

Introduction to Gobuster

Gobuster scans a website for directories and reports the HTTP status code of each hit; with the -x flag it also searches for files.

Useful Global Flags

Flag   Long Flag        Description
-t     --threads        Number of concurrent threads (default 10); raise it (e.g. 64) to speed up scans
-v     --verbose        Verbose output
-z     --no-progress    Don't display progress
-q     --quiet          Don't print the banner and other noise
-o     --output         Output file to write results to

dir mode

Lets the user enumerate website directories for pentesting.

gobuster dir - directory search

-u and -w: the target URL and the wordlist (both required)

full command: gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Flag   Long Flag                   Description
-c     --cookies                   Cookies to use for requests
-x     --extensions                File extension(s) to search for
-H     --headers                   Specify HTTP headers, e.g. -H 'Header1: val1' -H 'Header2: val2'
-k     --no-tls-validation         Skip TLS certificate verification
-n     --no-status                 Don't print status codes
-P     --password                  Password for Basic Auth
-s     --status-codes              Positive status codes
-b     --status-codes-blacklist    Negative status codes
-U     --username                  Username for Basic Auth

Use its -x or --extensions flag to search for files inside directories. A command that searches the "myfolder" directory on a webserver for files with the following three extensions: 1. html 2. js 3. css

gobuster dir -u http://10.10.252.123/myfolder -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.css,.js

The -k flag skips TLS certificate verification, so a scan against a host with a self-signed or otherwise invalid certificate continues instead of aborting on the certificate error.
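Added example (not part of the original notes): a small parser for the result lines that gobuster dir writes to the terminal or to the -o output file, with a triage step that groups hits by status code and spots the catch-all case where many different paths come back as 200 with an identical size. The sample output is constructed, not a real scan.

```python
import re
from collections import defaultdict

# One gobuster "dir" result line, e.g.
#   /images   (Status: 301) [Size: 313] [--> http://10.10.10.10/images/]
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\(Status:\s*(?P<status>\d{3})\)\s*\[Size:\s*(?P<size>\d+)\]"
    r"(?:\s*\[-->\s*(?P<redirect>[^\]]+)\])?"
)

def parse_gobuster(text):
    """Return one dict per result line; banner, progress and blank lines are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append({"path": m["path"], "status": int(m["status"]),
                            "size": int(m["size"]), "redirect": m["redirect"]})
    return results

def catchall_sizes(results, min_hits=3):
    """Sizes shared by many 200 responses: a server answering every path the same way."""
    counts = defaultdict(int)
    for r in results:
        if r["status"] == 200:
            counts[r["size"]] += 1
    return {size for size, n in counts.items() if n >= min_hits}

def triage(results, ignore_sizes=()):
    """Group paths by status code, dropping responses of the ignored (catch-all) sizes."""
    groups = defaultdict(list)
    for r in results:
        if r["size"] not in ignore_sizes:
            groups[r["status"]].append(r["path"])
    return dict(groups)

# Constructed sample output (not a real scan): the three 1540-byte "200" hits
# are one catch-all page, not three real files.
SAMPLE = """\
Gobuster v3.1.0
/images               (Status: 301) [Size: 313] [--> http://10.10.10.10/images/]
/index.html           (Status: 200) [Size: 10918]
/server-status        (Status: 403) [Size: 277]
/backup.js            (Status: 200) [Size: 1540]
/old                  (Status: 200) [Size: 1540]
/tmp                  (Status: 200) [Size: 1540]
Progress: 882240 / 882244 (100.00%)
"""
```

Calling triage(hits, catchall_sizes(hits)) on the sample leaves only /images, /index.html and /server-status, which is what a manual review of such a scan would keep.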

dns Mode

allows Gobuster to brute-force subdomains

to use dns mode: gobuster dns -d <domain> -w <wordlist>

gobuster dns -d mydomain.thm -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

Flag   Long Flag        Description
-c     --show-cname     Show CNAME records (cannot be used with the -i option)
-i     --show-ips       Show IP addresses
-r     --resolver       Use a custom DNS server (format server.com or server.com:port)

vhost mode

Brute-forces virtual hosts; virtual hosts are different websites served from the same machine.

to use vhost mode: gobuster vhost -u <url> -w <wordlist>

gobuster vhost -u http://example.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

Useful Wordlists

Kali Linux default lists (the /usr/share/wordlists paths used in the commands above)

SecLists: sudo apt install seclists

to add "webenum.thm" to your /etc/hosts (the redirection has to run as root; putting sudo in front of echo is not enough, because the shell doing the >> is still unprivileged):

echo "MACHINE_IP webenum.thm" >> /etc/hosts

to add any virtual host found in vhost mode (same IP, additional name):

echo "10.10.138.10 mysubdomain.webenum.thm" >> /etc/hosts
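Added example (not from the original notes): the echo >> approach appends a new line every time it is run, so repeated vhost additions leave duplicate and stale entries behind. This function, applied to the hosts file text (read and written back by the caller as root), makes the same change idempotently; the sample hosts content is constructed.

```python
def add_host_entry(hosts_text, ip, hostname):
    """Return hosts_text with hostname resolving to ip.

    Unlike `echo "ip name" >> /etc/hosts`, this is idempotent: the name is added
    to an existing line for that IP, removed from any line mapping it to another
    IP, and nothing changes if the mapping is already present. Comments and
    unrelated lines are kept verbatim.
    """
    out, placed = [], False
    for line in hosts_text.splitlines():
        code, _, comment = line.partition("#")
        fields = code.split()
        if not fields:
            out.append(line)  # blank or comment-only line
            continue
        line_ip, names = fields[0], fields[1:]
        changed = False
        if line_ip == ip and not placed:
            if hostname not in names:
                names.append(hostname)
                changed = True
            placed = True
        elif hostname in names:
            names.remove(hostname)  # stale mapping of the name to a different IP
            changed = True
            if not names:
                continue  # nothing left on this line, drop it
        if changed:
            line = " ".join([line_ip] + names) + (" #" + comment if comment else "")
        out.append(line)
    if not placed:
        out.append(f"{ip} {hostname}")
    return "\n".join(out) + "\n"
```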

WPScan

WPScan enumerates a system running WordPress, discovering themes, plugins, users and known vulnerabilities.

--enumerate t: look for themes (wpscan --url http://wpscan.thm --enumerate t)

--enumerate p: look for plugins (wpscan --url http://wpscan.thm --enumerate p)

--enumerate u: enumerate usernames (wpscan --url http://wpscan.thm --enumerate u)

--enumerate vp: look only for plugins with known vulnerabilities

--plugins-detection aggressive: use the aggressive plugin-detection profile (more requests, more noise)

"Directory Listing" occurs when a directory contains no file that the webserver has been told to process as its index, so the server lists the directory contents instead. Common index files are "index.html" and "index.php".

for a password attack: wpscan --url http://cmnatics.playground --passwords rockyou.txt --usernames cmnatic

(wpscan --url http://wpscan.thm --passwords '/root/Tools/wordlists/rockyou.txt')

By default, WPScan tries to be as little "noisy" as possible. Lots of requests to a web server can trigger things such as firewalls and ultimately result in you being blocked by the server.

We can use arguments such as --plugins-detection with an aggressiveness profile (passive/aggressive) to control this. For example: --plugins-detection aggressive.
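Added example from the defender's side (not from the original notes): the "noise" described above is exactly what a web server log shows. This script reads combined-format access log lines and flags sources either by the default User-Agent strings these tools send (the substrings are assumed to match the tools' defaults) or, for a scanner that changed its User-Agent, by a high ratio of 404 responses. The log lines are constructed.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format: source IP, request path, status, User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Substrings of the default User-Agent strings these tools send unless told otherwise.
SCANNER_UA = ("gobuster", "nikto", "wpscan")

def summarise(log_text):
    """Per-source counters: total requests, 404 responses and scanner UAs seen."""
    stats = defaultdict(lambda: {"total": 0, "404": 0, "ua": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s["total"] += 1
        if m["status"] == "404":
            s["404"] += 1
        ua = m["ua"].lower()
        s["ua"].update(tag for tag in SCANNER_UA if tag in ua)
    return stats

def flag_scanners(log_text, min_requests=20, min_404_ratio=0.8):
    """Return {ip: reason} for sources that behave like enumeration tools.
    A default UA is the cheap signal; a high 404 ratio catches a renamed UA."""
    flagged = {}
    for ip, s in summarise(log_text).items():
        if s["ua"]:
            flagged[ip] = "scanner user-agent: " + ", ".join(sorted(s["ua"]))
        elif s["total"] >= min_requests and s["404"] / s["total"] >= min_404_ratio:
            flagged[ip] = f"{s['404']}/{s['total']} requests were 404"
    return flagged

def _line(ip, path, status, ua):
    return f'{ip} - - [12/Mar/2023:10:00:01 +0000] "GET {path} HTTP/1.1" {status} 196 "-" "{ua}"'

# Constructed sample log: a tool announcing itself, a brute-forcer hiding
# behind a browser UA, and an ordinary visitor with one mistyped URL.
SAMPLE = "\n".join(
    [_line("10.10.14.5", "/wp-login.php", 200, "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)")]
    + [_line("10.10.14.9", f"/dir{i}", 404, "Mozilla/5.0") for i in range(25)]
    + [_line("10.10.14.9", "/index.html", 200, "Mozilla/5.0")]
    + [_line("192.168.1.20", "/", 200, "Mozilla/5.0"),
       _line("192.168.1.20", "/missing", 404, "Mozilla/5.0")]
)
```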

Nikto:

Vulnerability scanner that assesses all types of webservers (unlike WPScan, it isn't application-specific).

It can be used to discover possible vulnerabilities including:

- Sensitive files
- Outdated servers and programs (i.e. vulnerable web server installs)
- Common server and software misconfigurations (directory indexing, CGI scripts, XSS protections)

Nikto can be installed with: sudo apt update && sudo apt install nikto

Modes:

nikto -h <ip_or_domain_name> - basic scan

nikto -h 10.10.10.1 -p 80,8000,8080 - scan multiple ports on one specific host

For example, we can scan 172.16.0.0/24 (subnet mask 255.255.255.0, resulting in 254 possible hosts) with Nmap (using the default web port of 80) and pipe the greppable output into Nikto like so:

nmap -p80 172.16.0.0/24 -oG - | nikto -h -

(to hand Nikto every open port of one host instead of just port 80, scan all ports: nmap -p- 10.10.139.215 -oG - | nikto -h -)
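Added example (not from the original notes): what the nmap -oG pipeline above relies on is that greppable output carries one "Host: ... Ports: ..." line per host, with each port as port/state/protocol/owner/service/rpc info/version/. This parser pulls out the open TCP web ports per host and renders the nikto -h host -p a,b,c form from earlier, which is useful when Nikto should see only part of the scan. The nmap output is constructed; the set of service names treated as "web" is an assumption.

```python
import re

# One "Host:" line of nmap -oG output that carries a Ports: field, e.g.
#   Host: 172.16.0.5 ()<TAB>Ports: 80/open/tcp//http///, 22/open/tcp//ssh///<TAB>Ignored State: closed (998)
HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\([^)]*\)\s+Ports:\s+(?P<ports>[^\t]+)")

# Service names nmap assigns that are worth handing to a web scanner (assumed list;
# nmap writes "ssl/http" as "ssl|http" in greppable output).
WEB_SERVICES = {"http", "https", "http-proxy", "http-alt", "ssl|http"}

def web_ports_by_host(grep_output):
    """Map each host to its open TCP web ports, parsed from nmap greppable output."""
    targets = {}
    for line in grep_output.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no ports
        for entry in m["ports"].split(","):
            # port/state/protocol/owner/service/rpc info/version/
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            if state == "open" and proto == "tcp" and service in WEB_SERVICES:
                targets.setdefault(m["ip"], []).append(int(port))
    return {ip: sorted(ports) for ip, ports in targets.items()}

def nikto_commands(targets):
    """Render one nikto invocation per host, using the -p a,b,c form shown above."""
    return [f"nikto -h {ip} -p {','.join(map(str, ports))}"
            for ip, ports in sorted(targets.items())]

# Constructed sample greppable output (not a real scan).
SAMPLE = "\n".join([
    "# Nmap 7.93 scan initiated (constructed sample)",
    "Host: 172.16.0.5 ()\tStatus: Up",
    "Host: 172.16.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)",
    "Host: 172.16.0.7 ()\tPorts: 80/closed/tcp//http///",
    "Host: 172.16.0.9 ()\tPorts: 8080/open/tcp//http-proxy///",
    "# Nmap done (constructed sample)",
])
```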

--list-plugins - list the available plugins

-Plugin apacheuser: run only the named plugin (here apacheuser)

-Display: increase verbosity; values:

1 - Show any redirects that are given by the web server
2 - Show any cookies received (e.g. nikto -h 10.10.139.215 -p 8080 -D 2)
E - Output any errors

-Tuning: tune the scan to the vulnerability categories you want to search for

Tuning options (category - value):

File Upload - 0
Misconfigurations / Default Files - 2
Information Disclosure - 3
Injection - 4
Command Execution - 8
SQL Injection - 9

-o / -output: save findings to a file (text, HTML)

cURL

In the previous section, we saw how using the -v flag with cURL shows us the full details of the HTTP request and response. If we are only interested in seeing the response headers, we can use the -I flag to send a HEAD request and display only the response headers. Furthermore, we can use the -i flag to display both the headers and the response body (e.g. HTML code). The difference between the two is that -I sends a HEAD request (as we will see in the next section), while -i sends whatever request we specify and prints the headers as well.

curl -I https://www.inlanefreight.com
